Many administrators have a simple view of mobile device management: “I don’t need that.” Microsoft hopes to change that attitude by including MDM features as part of Office 365. View this presentation to learn what those features are, how they work, what they can do (and can’t do) to help you manage devices, and how you can use them to reduce the cost and pain of BYOD deployment.

1. Office 365 Mobile Device
Management: What Is It,
and Why Should You Care
Paul Robichaux
Summit 7 Systems
paul.Robichaux@summit7systems.com

2. Introduction

3. The rise of BYOD
• Mobile devices have become ubiquitous
– Blame BlackBerry and Steve Jobs
• Work time has expanded
– “You can work anywhere, anytime” has become “you must”
• Employers are stingy
– If you can get employees to provide their own devices and data plans…

4. The dark side of BYOB
• Your data, their device
– Can’t guarantee physical or data integrity
– Theft, loss, damage are all threats
– Security policies viewed with suspicion and hostility
• Version, device, and application support
• End-to-end troubleshooting

5. BYOD coping strategies*
• Denial
– Don’t allow any user-provided devices
• Barganining
– Allow user-provided devices subject to ToU
• Acceptance
– Perhaps better described as “resignation”
*Anger, depression strategies are options

6. Common MDM tools
• Restrict which devices are allowed to sync
• Restrict which users are allowed to sync
• Restrict what users can sync
• Store all synced content in a separate container

7. The MDM lifecycle
1. Enrollment places a device
under management
2. Configuration applies
settings / policies
3. Secure enforces settings
4. Manage
5. Monitor
Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx

8. Exchange ActiveSync
• EAS is both a transport protocol and an MDM protocol
• Designed years ago, it has many limitations
– Doesn’t address many capabilities customers: app policies jailbreak
protection, etc.
– Rate of change is low due to installed base
• But it’s also ubiquitous and cheap
– Great 80% solution

9. Exchange ActiveSync
Pros
• Cheap
• Widely available
• Fully integrated with
Exchange
• Equivalent on-prem/online
feature sets
Cons
• Limited feature set
• Not every device supports
the full protocol
• No integrity protection
• No containerization
• Only supports Exchange

10. MDM Pieces and Parts

11. Surpassing EAS
• Competing MDM solutions have taken significant market
share
• Microsoft’s previous effort was SCMDM
• Second attempt was Intune
• O365 MDM is a subset of Intune

12. What is Intune?
• Microsoft says…
“Intune is a cloud-based service that lets you manage mobile
devices, PCs, and apps so your users can be productive while
you protect your company's information.”

13. What is Intune?
• Part of Enterprise Mobility Suite (EMS)
• Can manage PCs and mobile devices
• Offers mobile app management (MAM)
• We won’t talk about it further in this session

14. What is Office 365 MDM?
• Subset of Intune
– Doesn’t manage PCs
– Doesn’t integrate with SCCM
– Managed using O365 admin center
• Cloud-only
• Provides three main functions
– Conditional access
– Device management
– Selective wipe

15. Conditional access
• Blocks access to Office 365 resources unless policy conditions
are met
– Mail through EAS
– Mail through Outlook
– OneDrive
– Documents through Office apps

16. Device management
• Enforces security policies you specify
• Devices that don’t meet policy may not be allowed to connect
• Policies vary between device families
– E.g. “force encrypted cloud backup” only works on iOS

17. Selective wipe
• EAS wipe erases the entire device
– Users don’t like this
• O365 MDM wipe allows you to choose:
– Wipe the whole device, EAS-style
– Wipe only data that came from O365
– Wipe the device after multiple wrong password attempts

18. What “selective” means
• The Company Portal app is removed
• Data synced into Outlook is removed
• Data synced into OneDrive for Business is removed
• Policy settings are no longer enforced
• Managed email profiles are removed
• The device is removed from the list of managed devices
• Everything else stays

19. Configuring O365 MDM

20. Setting up O365 MDM
• Remember the lifecycle
diagram?
• Turns out there are 2 extra
steps
Image courtesy Microsoft; https://technet.microsoft.com/en-us/library/mt143184.aspx

21. Step 0: Audit devices
• Audit your devices!
• Admins are always surprised by the audit results
– Ancient devices
– Departed employees
• Best way: use Paul Cunningham’s Get-EASDeviceReport.ps1:
http://bit.ly/1zEbJG5

22. Step 0, part 2: Config tenant
• Before you can enroll devices you must configure the tenant
in Office 365
1. Enable MDM in the Mobile Devices tab
2. Configure DNS
3. Configure APNS

23. Enabling feature in tenant
• Go to “Mobile Devices” tab on left nav bar in Office 365
admin portal
• Follow instructions

24. Creating DNS records
• You may already have done this
• Two required CNAME records
– Enterpriseregistration: used to register/re-register devices
• Also used by Workplace Join
– Enterpriseenrollment: used to enroll brand-new devices

25. APNS enrollment
• Apple Push Notification Service needed if you have iOS
devices
• You request a cert then upload it to Apple’s portal

26. The enrollment process
Image courtey Microsoft; “Windows 8.1 Enterprise Device Management Protocol.pdf”

27. Configuring security policies
• You manage policies through the Compliance Center
– Show of hands: who’s been to that page?

28. Policies and groups
• You assign policies to security groups
– So create the groups first
• Single org-wide exclusion group
• Policies apply to users, not devices
– Joe has two iOS devices and a Lumia 950…
– This is different from EAS

29. What do policies do?
• Depends on device OS
– Not every device OS supports every setting
– E.g. “Block access to application store” works on WP + iOS, not
Android
• Depends on your policy setting
– You can allow non-compliant devices or not
• See http://summit7systems.com/office-365-mobile-device-
management-policies/

30. Policy application
• Devices must download policy
– No download, no policy
– Devices that report that they don’t have a policy are blocked
• Up to 6-hour window when you apply a policy to existing
users
– Newly created users get the policy immediately when they’re added to
the target group

31. DEMO: MDM security
policies

32. Enrolling devices
• Automatic enrollment happens when you add a user to a
group that has a policy assigned
• Manual enrollment may require the user to install an app
– iOS: install Company Portal app
– Android: install Company Portal app
– WP8.x: built-in
– Win10: built-in

33. Setting up O365 MDM
• When you add a user to a
group that has a policy
assigned, that user’s devices
will be enrolled
• User must opt in
Image courtesy of MVP Paul Cunningham since I stupidly forgot to bring an iOS device

34. Auto-enrollment
• After user accepts opt-in prompt, they must download and
install Company Portal app for their OS
– Fairly simple process that still may confuse non-technical users

35. New enrollment experience
• MS is rolling out a “new” end user experience
• Users who are blocked by policy get an email with a link to get
the Company Portal app

36. Manage and monitor
• Office 365 admin center shows you enrolled devices and their
states
• Compliance Center device compliance reports
• Third-party reporting tools (e.g. Cogmotive)

37. DEMO: MDM management
and reporting

38. The big picture

39. What should I use?
• O365 MDM replaces EAS
– Any existing EAS policy will be overwritten when you enroll the device
• Intune replaces O365 MDM
– Much broader feature set
– Aggressive bundle pricing through EMS
• Several third-party solutions
– Installed base and feature set drive this decision

40. EAS
• EAS is cheap, cheerful, compatible
– Very wide range of supported devices
– Basic policy management only
– You’re probably already using it
– Don’t expect much future investment
– The split may be coming…

41. Office 365 MDM
• Included in most SKUs
• Good functionality
• Can easily be expanded to Intune

42. Intune
• Tons of functionality
– More complex to deploy and manage